Library of Congress

Law Library of Congress

The Library of Congress > Law Library > News & Events > Global Legal Monitor

European Union: Proposed Directive on Airlines’ Passenger Data Transfer

(Feb. 7, 2011) On February 2, 2011, the European Commission made public a proposal for a new European Union directive aimed at fighting serious crime and terrorism through uniform regulation of Passenger Name Record (PNR) sharing between airline carriers and EU law enforcement authorities. Some EU Member State agencies already gather PNR data, but thus far the EU has lacked a uniform approach for regulating use of the information, which is provided by passengers and collected by carriers in the process of reserving and booking tickets and checking in for flights. (Emma Portier Davis, EC Published Proposal for EU Directive on Passenger Name Record Data Sharing, 23 PRIVACY LAW WATCH (Feb. 3, 2011), Bureau of National Affairs online subscription database; Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record Data for the Prevention, Detection, Investigation and Prosecution of Terrorist Offences and Serious Crime, COM(2011) 32 final, 2011/0023 (COD) (Feb. 2, 2011), European Commission website,

According to Cecila Malmström, European Commissioner for Home Affairs:

This proposal for an EU PNR Directive is an important part of EU security policy. Common EU rules are necessary to fight serious crime such as drugs smuggling and people trafficking as well as terrorism, and to ensure that passengers' privacy is respected and their rights fully protected in all Member States. The proposal requires Member States to anonymise all PNR data that is collected … . (Press Release, IP/11/120, RAPID, EU Proposal for Passenger Data to Fight Serious Crime and Terrorism (Feb. 2, 2011),

Under the proposal, air carriers would transfer PNR data of passengers on international flights (i.e., flights entering or leaving from the EU) to a dedicated unit in the Member State of arrival or departure. Such units must keep the data secure and be monitored by an independent data protection authority. The data will be analyzed and retained by Member States for such purposes as preventing and investigating serious crime, including terrorist offenses. (Id.)

There are to be clear rules on how data is to be transferred, e.g., on the number of times transfers may occur from the air carriers to Member States and on the security of the transfers, so as to limit the impact on privacy and minimize the costs for the carriers. Member States will not have access to the air carriers' databases; they must request the data and have it sent to them by the carriers concerned. There are also to be clear rules on the passengers' rights to accurate information on PNR data collection; to access, rectification, and deletion of their data; and to compensation and judicial remedies. (Id.)

The proposed directive seeks to provide strong privacy and personal data protection by:

  • Restricting use of PNR data to the strict purpose of fighting ordinary serious crime and terrorist offenses;
  • Requiring that Member State law enforcement authorities make the data anonymous one month after the flight and retain the data no more than five years in total; and
  • Prohibiting the transfer of “sensitive data that could reveal racial or ethnic origin, political opinions, or religious beliefs.” (Id.)

The proposal must be negotiated and approved by the EU Council of Ministers and the European Parliament, a process that is expected to take about two years. It will supersede the 2007 Council Framework Decision on the Use of Passenger Name Record (PNR) for Law Enforcement Purposes that had been adopted by the Commission, but not the Council; that Decision became obsolete with the entry into force of the Lisbon Treaty, the agreement that amends two prior treaties that form the constitutional framework of the EU. (Id.; Press Release, RAPID, Memo/11/60, EU Passenger Name Record (PNR) – Frequently Asked Questions, (Feb. 2, 2011),

The proposed directive is distinct from the provisionally applicable PNR agreements that already exist between the EU and third countries. There are currently three such agreements, with the United States, Canada, and Australia. In September 2010, the European Commission adopted a package of proposals on the exchange of PNR data with third countries, among them recommendations for negotiating directives for new PNR agreements with those three nations. Negotiations have since begun. (Press Release, RAPID, Memo/11/60, supra; see also Theresa Papademetriou, European Union: Agreements with Third Countries on Passenger Name Records for Terrorism Purposes, GLOBAL LEGAL MONITOR (Oct. 6, 2010), //